[Pkg-shadow-commits] r176 - in trunk/debian: . patches

Nicolas FRANCOIS pkg-shadow-devel@lists.alioth.debian.org
Mon, 23 May 2005 21:53:20 +0000


Author: nekral-guest
Date: 2005-05-23 21:53:20 +0000 (Mon, 23 May 2005)
New Revision: 176

Added:
   trunk/debian/patches/330_CAN-2004-1001_passwd_check
Modified:
   trunk/debian/changelog
   trunk/debian/patches/series
Log:
Add the patch for CAN-2004-1001.


Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2005-05-23 21:00:28 UTC (rev 175)
+++ trunk/debian/changelog	2005-05-23 21:53:20 UTC (rev 176)
@@ -1,5 +1,8 @@
 shadow (1:4.0.3-35) UNRELEASED; urgency=low 
 
+  * Re-apply the debian/patches/036_CAN-2004-1001_passwd_check patch
+    which fixed the "Adjusted password check to fix authentication bypass"
+    security issue (CAN-2004-1001)
   * Debian packaging fixes:
     - Add --host to config_options on cross build. Patch from NIIBE Yutaka.
       Closes: #283729
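Review bot: The new changelog entry names debian/patches/036_CAN-2004-1001_passwd_check, but the file this revision adds and lists in series is 330_CAN-2004-1001_passwd_check. Suggest naming the 330 file in the entry (keeping 036 as the earlier name, if that is what "Re-apply" refers to) so the changelog line can be matched to the patch in the tree. The entry also sits in a stanza headed urgency=low; it is worth confirming that this is intended for an upload carrying an authentication bypass fix.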

Added: trunk/debian/patches/330_CAN-2004-1001_passwd_check
===================================================================
--- trunk/debian/patches/330_CAN-2004-1001_passwd_check	2005-05-23 21:00:28 UTC (rev 175)
+++ trunk/debian/patches/330_CAN-2004-1001_passwd_check	2005-05-23 21:53:20 UTC (rev 176)
@@ -0,0 +1,19 @@
+Goal: Adjusted password check to fix authentication bypass (Martin Schulze)
+Fixes: CAN-2004-1001
+
+Status wrt upstream: already applied upstream.
+
+Index: shadow-4.0.3/libmisc/pwdcheck.c
+===================================================================
+--- shadow-4.0.3.orig/libmisc/pwdcheck.c	2000-10-15 19:07:26.000000000 +0200
++++ shadow-4.0.3/libmisc/pwdcheck.c	2005-05-23 23:34:09.467134000 +0200
+@@ -40,7 +40,8 @@
+ 	retcode = pam_acct_mgmt(pamh, 0);
+ 	if (retcode == PAM_NEW_AUTHTOK_REQD) {
+ 		retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+-	} else if (retcode)
++	}
++	if (retcode)
+ 		goto bailout;
+ 
+ 	if (pam_setcred(pamh, 0))
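Review bot: The patch header says only "Adjusted password check to fix authentication bypass" and does not explain what was bypassed, so the change at `} else if (retcode)` should get a sentence there. With the `else` in place, the error test was skipped whenever pam_acct_mgmt returned PAM_NEW_AUTHTOK_REQD. The return value of pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK) was then never examined, and a failed change of an expired password continued on to pam_setcred. Suggest recording that in the header, and writing the new test as `if (retcode != PAM_SUCCESS)` so the intent is explicit to the next reader.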

Modified: trunk/debian/patches/series
===================================================================
--- trunk/debian/patches/series	2005-05-23 21:00:28 UTC (rev 175)
+++ trunk/debian/patches/series	2005-05-23 21:53:20 UTC (rev 176)
@@ -73,6 +73,7 @@
 327_newgrp_162303
 328_successful_password_change
 329_libmisc_failure_ngettext
+330_CAN-2004-1001_passwd_check
 401_cppw_src.dpatch
 403_sg_symlink_162339_163652.dpatch
 404_undef_USE_PAM.dpatch